GitHub Advisory Database: GHSA-R9MQ-M72X-257G
History: Dec 18, 2023 - 7:33 p.m.

Resque vulnerable to reflected XSS in Queue Endpoint

2023-12-18 19:33:58
CWE-79
CWE-233
GitHub Advisory Database
github.com
Tags: resque, reflected xss, queue endpoint, patch, v2.6.0, security, vulnerability, resque-web, endpoint, web interface, application

CVSS3: 6.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

AI Score: 6.1 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 20.6%)

Impact

Reflected XSS can be performed using the current_queue portion of the path on the /queues endpoint of resque-web.
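The advisory names the pattern but not the code. As an added illustration (not resque-web's own code; the route shape, helper names and sample queue name are assumptions), the following shows a queue name taken from the URL path being rendered into HTML unescaped, which is the reflected-XSS pattern described above, beside the escaped form, plus a small check that can be run over rendered output:

```ruby
# Added example (not resque-web's own code): the helper names, the assumed
# /queues/<name> route shape and the sample queue name are constructed here.
require 'erb'
require 'uri'

# Constructed sample of a path segment as a browser would send it: a queue
# name that carries markup. Real queue names are ordinarily plain text.
SAMPLE_QUEUE = 'jobs<b>not a queue</b>'

# Path segments arrive percent-encoded; decoding happens before rendering,
# so the value handed to the view is the raw, decoded string.
def queue_from_path(path)
  m = path.match(%r{\A/queues/([^/]+)\z})
  return nil unless m
  URI.decode_www_form_component(m[1])
end

# Vulnerable pattern: the decoded segment is interpolated straight into
# markup, so any tags in it become part of the page served to the viewer.
def render_queue_heading_unsafe(current_queue)
  "<h1>Queue: #{current_queue}</h1>"
end

# Hardened pattern: HTML-escape the untrusted segment before it reaches the
# page. ERB::Util.html_escape is stdlib; Rack::Utils.escape_html behaves alike.
def render_queue_heading(current_queue)
  "<h1>Queue: #{ERB::Util.html_escape(current_queue)}</h1>"
end

# Review check: does the input, angle brackets included, survive verbatim
# into the rendered HTML? True means markup is being reflected.
def reflects_markup?(html, input)
  input.include?('<') && html.include?(input)
end

if __FILE__ == $PROGRAM_NAME
  q = queue_from_path('/queues/jobs%3Cb%3Enot%20a%20queue%3C%2Fb%3E')
  puts render_queue_heading_unsafe(q)
  puts render_queue_heading(q)
end
```

The escaping belongs at the rendering step, not at the route, because the same queue name may be used elsewhere (job lookups, logging) where HTML entities would be wrong; templating engines that auto-escape by default make the safe form the only form.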

Patches

v2.6.0

Workarounds

No known workarounds at this time. It is recommended not to click on third-party or untrusted links to the resque-web interface until you have patched your application.

References

https://github.com/resque/resque/pull/1865

Affected configurations

Vulners node: resque, range < 2.6.0

CPE / Name | Operator | Version
resque | lt | 2.6.0
